This invention relates in general to security of digital information and more specifically to a certification system for digital information transfer.
Digital information has become extremely important in all aspects of commerce, education, government, entertainment and management. In many of these applications, the ability to ensure the privacy, integrity and authenticity of the information is critical. As a result, several digital security mechanisms have been developed to improve security.
One approach to digital security that is commonly used is for a certificate authority (CA) to issue a certificate to a certificate holder. The holder can then provide the certificate to a third party as an attestation by the CA that the holder who is named in the certificate is in fact the person, entity, machine, email address user, etc., that is set forth in the certificate. And that a public key in the certificate is, in fact, the holder's public key. People, devices, processes or other entities dealing with the certificate holder can rely upon the certificate in accordance with the CA's certification practice statement.
A certificate is typically created by the CA digitally signing, with its own private key, identifying information submitted to the CA along with the public key of the holder who seeks the certificate. A certificate usually has a limited period of validity, and can be revoked earlier in the event of compromise of the corresponding private key of the certificate holder, or other revocable event.
One standardized approach to today's digital security is referred to as the Public Key Infrastructure (PKI). PKI provides for use of digital certificates to authenticate the identity of a certificate holder, or to authenticate or certify other information. Typically, a PKI certificate includes a collection of information to which a digital signature is attached. A CA that a community of certificate users trusts attaches its digital signature and issues the certificates to various users and/or devices within a system.
If a certificate has expired, another certificate can be obtained by going through the proper steps to contact a CA and obtain another valid certificate. This approach may work well where, for example, certificates are assigned to users and a user is responsible for obtaining, updating (e.g., when a user's identification information changes) and renewing that user's certificate. However, the generation, transmission and updating of certificates in association with hardware devices (i.e., the hardware devices are each associated with a certificate) may introduce problems in certificate management, transmission, control, use, etc., especially where the number of devices is large.